xref: /freebsd/sys/netpfil/ipfw/nptv6/nptv6.c (revision ce6a89e27cd190313be39bb479880aeda4778436)
1 /*-
2  * Copyright (c) 2016 Yandex LLC
3  * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26  */
27 
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
30 
31 #include <sys/param.h>
32 #include <sys/systm.h>
33 #include <sys/counter.h>
34 #include <sys/eventhandler.h>
35 #include <sys/errno.h>
36 #include <sys/kernel.h>
37 #include <sys/lock.h>
38 #include <sys/malloc.h>
39 #include <sys/mbuf.h>
40 #include <sys/module.h>
41 #include <sys/rmlock.h>
42 #include <sys/rwlock.h>
43 #include <sys/socket.h>
44 #include <sys/queue.h>
45 #include <sys/syslog.h>
46 #include <sys/sysctl.h>
47 
48 #include <net/if.h>
49 #include <net/if_var.h>
50 #include <net/netisr.h>
51 #include <net/pfil.h>
52 #include <net/vnet.h>
53 
54 #include <netinet/in.h>
55 #include <netinet/ip_var.h>
56 #include <netinet/ip_fw.h>
57 #include <netinet/ip6.h>
58 #include <netinet/icmp6.h>
59 #include <netinet6/in6_var.h>
60 #include <netinet6/ip6_var.h>
61 
62 #include <netpfil/ipfw/ip_fw_private.h>
63 #include <netpfil/ipfw/nptv6/nptv6.h>
64 
65 VNET_DEFINE_STATIC(uint16_t, nptv6_eid) = 0;
66 #define	V_nptv6_eid	VNET(nptv6_eid)
67 #define	IPFW_TLV_NPTV6_NAME	IPFW_TLV_EACTION_NAME(V_nptv6_eid)
68 
69 static eventhandler_tag nptv6_ifaddr_event;
70 
71 static struct nptv6_cfg *nptv6_alloc_config(const char *name, uint8_t set);
72 static void nptv6_free_config(struct nptv6_cfg *cfg);
73 static struct nptv6_cfg *nptv6_find(struct namedobj_instance *ni,
74     const char *name, uint8_t set);
75 static int nptv6_rewrite_internal(struct nptv6_cfg *cfg, struct mbuf **mp,
76     int offset);
77 static int nptv6_rewrite_external(struct nptv6_cfg *cfg, struct mbuf **mp,
78     int offset);
79 
80 #define	NPTV6_LOOKUP(chain, cmd)	\
81     (struct nptv6_cfg *)SRV_OBJECT((chain), (cmd)->arg1)
82 
83 #ifndef IN6_MASK_ADDR
84 #define IN6_MASK_ADDR(a, m)	do { \
85 	(a)->s6_addr32[0] &= (m)->s6_addr32[0]; \
86 	(a)->s6_addr32[1] &= (m)->s6_addr32[1]; \
87 	(a)->s6_addr32[2] &= (m)->s6_addr32[2]; \
88 	(a)->s6_addr32[3] &= (m)->s6_addr32[3]; \
89 } while (0)
90 #endif
91 #ifndef IN6_ARE_MASKED_ADDR_EQUAL
92 #define IN6_ARE_MASKED_ADDR_EQUAL(d, a, m)	(	\
93 	(((d)->s6_addr32[0] ^ (a)->s6_addr32[0]) & (m)->s6_addr32[0]) == 0 && \
94 	(((d)->s6_addr32[1] ^ (a)->s6_addr32[1]) & (m)->s6_addr32[1]) == 0 && \
95 	(((d)->s6_addr32[2] ^ (a)->s6_addr32[2]) & (m)->s6_addr32[2]) == 0 && \
96 	(((d)->s6_addr32[3] ^ (a)->s6_addr32[3]) & (m)->s6_addr32[3]) == 0 )
97 #endif
98 
99 #if 0
100 #define	NPTV6_DEBUG(fmt, ...)	do {			\
101 	printf("%s: " fmt "\n", __func__, ## __VA_ARGS__);	\
102 } while (0)
103 #define	NPTV6_IPDEBUG(fmt, ...)	do {			\
104 	char _s[INET6_ADDRSTRLEN], _d[INET6_ADDRSTRLEN];	\
105 	printf("%s: " fmt "\n", __func__, ## __VA_ARGS__);	\
106 } while (0)
107 #else
108 #define	NPTV6_DEBUG(fmt, ...)
109 #define	NPTV6_IPDEBUG(fmt, ...)
110 #endif
111 
112 static int
113 nptv6_getlasthdr(struct nptv6_cfg *cfg, struct mbuf *m, int *offset)
114 {
115 	struct ip6_hdr *ip6;
116 	struct ip6_hbh *hbh;
117 	int proto, hlen;
118 
119 	hlen = (offset == NULL) ? 0: *offset;
120 	if (m->m_len < hlen)
121 		return (-1);
122 	ip6 = mtodo(m, hlen);
123 	hlen += sizeof(*ip6);
124 	proto = ip6->ip6_nxt;
125 	while (proto == IPPROTO_HOPOPTS || proto == IPPROTO_ROUTING ||
126 	    proto == IPPROTO_DSTOPTS) {
127 		hbh = mtodo(m, hlen);
128 		if (m->m_len < hlen)
129 			return (-1);
130 		proto = hbh->ip6h_nxt;
131 		hlen += (hbh->ip6h_len + 1) << 3;
132 	}
133 	if (offset != NULL)
134 		*offset = hlen;
135 	return (proto);
136 }
137 
138 static int
139 nptv6_translate_icmpv6(struct nptv6_cfg *cfg, struct mbuf **mp, int offset)
140 {
141 	struct icmp6_hdr *icmp6;
142 	struct ip6_hdr *ip6;
143 	struct mbuf *m;
144 
145 	m = *mp;
146 	if (offset > m->m_len)
147 		return (-1);
148 	icmp6 = mtodo(m, offset);
149 	NPTV6_DEBUG("ICMPv6 type %d", icmp6->icmp6_type);
150 	switch (icmp6->icmp6_type) {
151 	case ICMP6_DST_UNREACH:
152 	case ICMP6_PACKET_TOO_BIG:
153 	case ICMP6_TIME_EXCEEDED:
154 	case ICMP6_PARAM_PROB:
155 		break;
156 	case ICMP6_ECHO_REQUEST:
157 	case ICMP6_ECHO_REPLY:
158 		/* nothing to translate */
159 		return (0);
160 	default:
161 		/*
162 		 * XXX: We can add some checks to not translate NDP and MLD
163 		 * messages. Currently user must explicitly allow these message
164 		 * types, otherwise packets will be dropped.
165 		 */
166 		return (-1);
167 	}
168 	offset += sizeof(*icmp6);
169 	if (offset + sizeof(*ip6) > m->m_pkthdr.len)
170 		return (-1);
171 	if (offset + sizeof(*ip6) > m->m_len)
172 		*mp = m = m_pullup(m, offset + sizeof(*ip6));
173 	if (m == NULL)
174 		return (-1);
175 	ip6 = mtodo(m, offset);
176 	NPTV6_IPDEBUG("offset %d, %s -> %s %d", offset,
177 	    inet_ntop(AF_INET6, &ip6->ip6_src, _s, sizeof(_s)),
178 	    inet_ntop(AF_INET6, &ip6->ip6_dst, _d, sizeof(_d)),
179 	    ip6->ip6_nxt);
180 	if (IN6_ARE_MASKED_ADDR_EQUAL(&ip6->ip6_src,
181 	    &cfg->external, &cfg->mask))
182 		return (nptv6_rewrite_external(cfg, mp, offset));
183 	else if (IN6_ARE_MASKED_ADDR_EQUAL(&ip6->ip6_dst,
184 	    &cfg->internal, &cfg->mask))
185 		return (nptv6_rewrite_internal(cfg, mp, offset));
186 	/*
187 	 * Addresses in the inner IPv6 header doesn't matched to
188 	 * our prefixes.
189 	 */
190 	return (-1);
191 }
192 
193 static int
194 nptv6_search_index(struct nptv6_cfg *cfg, struct in6_addr *a)
195 {
196 	int idx;
197 
198 	if (cfg->flags & NPTV6_48PLEN)
199 		return (3);
200 
201 	/* Search suitable word index for adjustment */
202 	for (idx = 4; idx < 8; idx++)
203 		if (a->s6_addr16[idx] != 0xffff)
204 			break;
205 	/*
206 	 * RFC 6296 p3.7: If an NPTv6 Translator discovers a datagram with
207 	 * an IID of all-zeros while performing address mapping, that
208 	 * datagram MUST be dropped, and an ICMPv6 Parameter Problem error
209 	 * SHOULD be generated.
210 	 */
211 	if (idx == 8 ||
212 	    (a->s6_addr32[2] == 0 && a->s6_addr32[3] == 0))
213 		return (-1);
214 	return (idx);
215 }
216 
217 static void
218 nptv6_copy_addr(struct in6_addr *src, struct in6_addr *dst,
219     struct in6_addr *mask)
220 {
221 	int i;
222 
223 	for (i = 0; i < 8 && mask->s6_addr8[i] != 0; i++) {
224 		dst->s6_addr8[i] &=  ~mask->s6_addr8[i];
225 		dst->s6_addr8[i] |= src->s6_addr8[i] & mask->s6_addr8[i];
226 	}
227 }
228 
229 static int
230 nptv6_rewrite_internal(struct nptv6_cfg *cfg, struct mbuf **mp, int offset)
231 {
232 	struct in6_addr *addr;
233 	struct ip6_hdr *ip6;
234 	int idx, proto;
235 	uint16_t adj;
236 
237 	ip6 = mtodo(*mp, offset);
238 	NPTV6_IPDEBUG("offset %d, %s -> %s %d", offset,
239 	    inet_ntop(AF_INET6, &ip6->ip6_src, _s, sizeof(_s)),
240 	    inet_ntop(AF_INET6, &ip6->ip6_dst, _d, sizeof(_d)),
241 	    ip6->ip6_nxt);
242 	if (offset == 0)
243 		addr = &ip6->ip6_src;
244 	else {
245 		/*
246 		 * When we rewriting inner IPv6 header, we need to rewrite
247 		 * destination address back to external prefix. The datagram in
248 		 * the ICMPv6 payload should looks like it was send from
249 		 * external prefix.
250 		 */
251 		addr = &ip6->ip6_dst;
252 	}
253 	idx = nptv6_search_index(cfg, addr);
254 	if (idx < 0) {
255 		/*
256 		 * Do not send ICMPv6 error when offset isn't zero.
257 		 * This means we are rewriting inner IPv6 header in the
258 		 * ICMPv6 error message.
259 		 */
260 		if (offset == 0) {
261 			icmp6_error2(*mp, ICMP6_DST_UNREACH,
262 			    ICMP6_DST_UNREACH_ADDR, 0, (*mp)->m_pkthdr.rcvif);
263 			*mp = NULL;
264 		}
265 		return (IP_FW_DENY);
266 	}
267 	adj = addr->s6_addr16[idx];
268 	nptv6_copy_addr(&cfg->external, addr, &cfg->mask);
269 	adj = cksum_add(adj, cfg->adjustment);
270 	if (adj == 0xffff)
271 		adj = 0;
272 	addr->s6_addr16[idx] = adj;
273 	if (offset == 0) {
274 		/*
275 		 * We may need to translate addresses in the inner IPv6
276 		 * header for ICMPv6 error messages.
277 		 */
278 		proto = nptv6_getlasthdr(cfg, *mp, &offset);
279 		if (proto < 0 || (proto == IPPROTO_ICMPV6 &&
280 		    nptv6_translate_icmpv6(cfg, mp, offset) != 0))
281 			return (IP_FW_DENY);
282 		NPTV6STAT_INC(cfg, in2ex);
283 	}
284 	return (0);
285 }
286 
287 static int
288 nptv6_rewrite_external(struct nptv6_cfg *cfg, struct mbuf **mp, int offset)
289 {
290 	struct in6_addr *addr;
291 	struct ip6_hdr *ip6;
292 	int idx, proto;
293 	uint16_t adj;
294 
295 	ip6 = mtodo(*mp, offset);
296 	NPTV6_IPDEBUG("offset %d, %s -> %s %d", offset,
297 	    inet_ntop(AF_INET6, &ip6->ip6_src, _s, sizeof(_s)),
298 	    inet_ntop(AF_INET6, &ip6->ip6_dst, _d, sizeof(_d)),
299 	    ip6->ip6_nxt);
300 	if (offset == 0)
301 		addr = &ip6->ip6_dst;
302 	else {
303 		/*
304 		 * When we rewriting inner IPv6 header, we need to rewrite
305 		 * source address back to internal prefix. The datagram in
306 		 * the ICMPv6 payload should looks like it was send from
307 		 * internal prefix.
308 		 */
309 		addr = &ip6->ip6_src;
310 	}
311 	idx = nptv6_search_index(cfg, addr);
312 	if (idx < 0) {
313 		/*
314 		 * Do not send ICMPv6 error when offset isn't zero.
315 		 * This means we are rewriting inner IPv6 header in the
316 		 * ICMPv6 error message.
317 		 */
318 		if (offset == 0) {
319 			icmp6_error2(*mp, ICMP6_DST_UNREACH,
320 			    ICMP6_DST_UNREACH_ADDR, 0, (*mp)->m_pkthdr.rcvif);
321 			*mp = NULL;
322 		}
323 		return (IP_FW_DENY);
324 	}
325 	adj = addr->s6_addr16[idx];
326 	nptv6_copy_addr(&cfg->internal, addr, &cfg->mask);
327 	adj = cksum_add(adj, ~cfg->adjustment);
328 	if (adj == 0xffff)
329 		adj = 0;
330 	addr->s6_addr16[idx] = adj;
331 	if (offset == 0) {
332 		/*
333 		 * We may need to translate addresses in the inner IPv6
334 		 * header for ICMPv6 error messages.
335 		 */
336 		proto = nptv6_getlasthdr(cfg, *mp, &offset);
337 		if (proto < 0 || (proto == IPPROTO_ICMPV6 &&
338 		    nptv6_translate_icmpv6(cfg, mp, offset) != 0))
339 			return (IP_FW_DENY);
340 		NPTV6STAT_INC(cfg, ex2in);
341 	}
342 	return (0);
343 }
344 
345 /*
346  * ipfw external action handler.
347  */
348 static int
349 ipfw_nptv6(struct ip_fw_chain *chain, struct ip_fw_args *args,
350     ipfw_insn *cmd, int *done)
351 {
352 	struct ip6_hdr *ip6;
353 	struct nptv6_cfg *cfg;
354 	ipfw_insn *icmd;
355 	int ret;
356 
357 	*done = 0; /* try next rule if not matched */
358 	ret = IP_FW_DENY;
359 	icmd = cmd + 1;
360 	if (cmd->opcode != O_EXTERNAL_ACTION ||
361 	    cmd->arg1 != V_nptv6_eid ||
362 	    icmd->opcode != O_EXTERNAL_INSTANCE ||
363 	    (cfg = NPTV6_LOOKUP(chain, icmd)) == NULL ||
364 	    (cfg->flags & NPTV6_READY) == 0)
365 		return (ret);
366 	/*
367 	 * We need act as router, so when forwarding is disabled -
368 	 * do nothing.
369 	 */
370 	if (V_ip6_forwarding == 0 || args->f_id.addr_type != 6)
371 		return (ret);
372 	/*
373 	 * NOTE: we expect ipfw_chk() did m_pullup() up to upper level
374 	 * protocol's headers. Also we skip some checks, that ip6_input(),
375 	 * ip6_forward(), ip6_fastfwd() and ipfw_chk() already did.
376 	 */
377 	ip6 = mtod(args->m, struct ip6_hdr *);
378 	NPTV6_IPDEBUG("eid %u, oid %u, %s -> %s %d",
379 	    cmd->arg1, icmd->arg1,
380 	    inet_ntop(AF_INET6, &ip6->ip6_src, _s, sizeof(_s)),
381 	    inet_ntop(AF_INET6, &ip6->ip6_dst, _d, sizeof(_d)),
382 	    ip6->ip6_nxt);
383 	if (IN6_ARE_MASKED_ADDR_EQUAL(&ip6->ip6_src,
384 	    &cfg->internal, &cfg->mask)) {
385 		/*
386 		 * XXX: Do not translate packets when both src and dst
387 		 * are from internal prefix.
388 		 */
389 		if (IN6_ARE_MASKED_ADDR_EQUAL(&ip6->ip6_dst,
390 		    &cfg->internal, &cfg->mask))
391 			return (ret);
392 		ret = nptv6_rewrite_internal(cfg, &args->m, 0);
393 	} else if (IN6_ARE_MASKED_ADDR_EQUAL(&ip6->ip6_dst,
394 	    &cfg->external, &cfg->mask))
395 		ret = nptv6_rewrite_external(cfg, &args->m, 0);
396 	else
397 		return (ret);
398 	/*
399 	 * If address wasn't rewrited - free mbuf and terminate the search.
400 	 */
401 	if (ret != 0) {
402 		if (args->m != NULL) {
403 			m_freem(args->m);
404 			args->m = NULL; /* mark mbuf as consumed */
405 		}
406 		NPTV6STAT_INC(cfg, dropped);
407 		*done = 1;
408 	} else {
409 		/* Terminate the search if one_pass is set */
410 		*done = V_fw_one_pass;
411 		/* Update args->f_id when one_pass is off */
412 		if (*done == 0) {
413 			ip6 = mtod(args->m, struct ip6_hdr *);
414 			args->f_id.src_ip6 = ip6->ip6_src;
415 			args->f_id.dst_ip6 = ip6->ip6_dst;
416 		}
417 	}
418 	return (ret);
419 }
420 
421 static struct nptv6_cfg *
422 nptv6_alloc_config(const char *name, uint8_t set)
423 {
424 	struct nptv6_cfg *cfg;
425 
426 	cfg = malloc(sizeof(struct nptv6_cfg), M_IPFW, M_WAITOK | M_ZERO);
427 	COUNTER_ARRAY_ALLOC(cfg->stats, NPTV6STATS, M_WAITOK);
428 	cfg->no.name = cfg->name;
429 	cfg->no.etlv = IPFW_TLV_NPTV6_NAME;
430 	cfg->no.set = set;
431 	strlcpy(cfg->name, name, sizeof(cfg->name));
432 	return (cfg);
433 }
434 
435 static void
436 nptv6_free_config(struct nptv6_cfg *cfg)
437 {
438 
439 	COUNTER_ARRAY_FREE(cfg->stats, NPTV6STATS);
440 	free(cfg, M_IPFW);
441 }
442 
443 static void
444 nptv6_export_config(struct ip_fw_chain *ch, struct nptv6_cfg *cfg,
445     ipfw_nptv6_cfg *uc)
446 {
447 
448 	uc->internal = cfg->internal;
449 	if (cfg->flags & NPTV6_DYNAMIC_PREFIX)
450 		memcpy(uc->if_name, cfg->if_name, IF_NAMESIZE);
451 	else
452 		uc->external = cfg->external;
453 	uc->plen = cfg->plen;
454 	uc->flags = cfg->flags & NPTV6_FLAGSMASK;
455 	uc->set = cfg->no.set;
456 	strlcpy(uc->name, cfg->no.name, sizeof(uc->name));
457 }
458 
459 struct nptv6_dump_arg {
460 	struct ip_fw_chain *ch;
461 	struct sockopt_data *sd;
462 };
463 
464 static int
465 export_config_cb(struct namedobj_instance *ni, struct named_object *no,
466     void *arg)
467 {
468 	struct nptv6_dump_arg *da = (struct nptv6_dump_arg *)arg;
469 	ipfw_nptv6_cfg *uc;
470 
471 	uc = (ipfw_nptv6_cfg *)ipfw_get_sopt_space(da->sd, sizeof(*uc));
472 	nptv6_export_config(da->ch, (struct nptv6_cfg *)no, uc);
473 	return (0);
474 }
475 
476 static struct nptv6_cfg *
477 nptv6_find(struct namedobj_instance *ni, const char *name, uint8_t set)
478 {
479 	struct nptv6_cfg *cfg;
480 
481 	cfg = (struct nptv6_cfg *)ipfw_objhash_lookup_name_type(ni, set,
482 	    IPFW_TLV_NPTV6_NAME, name);
483 
484 	return (cfg);
485 }
486 
487 static void
488 nptv6_calculate_adjustment(struct nptv6_cfg *cfg)
489 {
490 	uint16_t i, e;
491 	uint16_t *p;
492 
493 	/* Calculate checksum of internal prefix */
494 	for (i = 0, p = (uint16_t *)&cfg->internal;
495 	    p < (uint16_t *)(&cfg->internal + 1); p++)
496 		i = cksum_add(i, *p);
497 
498 	/* Calculate checksum of external prefix */
499 	for (e = 0, p = (uint16_t *)&cfg->external;
500 	    p < (uint16_t *)(&cfg->external + 1); p++)
501 		e = cksum_add(e, *p);
502 
503 	/* Adjustment value for Int->Ext direction */
504 	cfg->adjustment = cksum_add(~e, i);
505 }
506 
507 static int
508 nptv6_check_prefix(const struct in6_addr *addr)
509 {
510 
511 	if (IN6_IS_ADDR_MULTICAST(addr) ||
512 	    IN6_IS_ADDR_LINKLOCAL(addr) ||
513 	    IN6_IS_ADDR_LOOPBACK(addr) ||
514 	    IN6_IS_ADDR_UNSPECIFIED(addr))
515 		return (EINVAL);
516 	return (0);
517 }
518 
519 static void
520 nptv6_set_external(struct nptv6_cfg *cfg, struct in6_addr *addr)
521 {
522 
523 	cfg->external = *addr;
524 	IN6_MASK_ADDR(&cfg->external, &cfg->mask);
525 	nptv6_calculate_adjustment(cfg);
526 	cfg->flags |= NPTV6_READY;
527 }
528 
529 /*
530  * Try to determine what prefix to use as external for
531  * configured interface name.
532  */
533 static void
534 nptv6_find_prefix(struct ip_fw_chain *ch, struct nptv6_cfg *cfg,
535     struct ifnet *ifp)
536 {
537 	struct epoch_tracker et;
538 	struct ifaddr *ifa;
539 	struct in6_ifaddr *ia;
540 
541 	MPASS(cfg->flags & NPTV6_DYNAMIC_PREFIX);
542 	IPFW_UH_WLOCK_ASSERT(ch);
543 
544 	if (ifp == NULL) {
545 		ifp = ifunit_ref(cfg->if_name);
546 		if (ifp == NULL)
547 			return;
548 	}
549 	NET_EPOCH_ENTER(et);
550 	CK_STAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
551 		if (ifa->ifa_addr->sa_family != AF_INET6)
552 			continue;
553 		ia = (struct in6_ifaddr *)ifa;
554 		if (nptv6_check_prefix(&ia->ia_addr.sin6_addr) ||
555 		    IN6_ARE_MASKED_ADDR_EQUAL(&ia->ia_addr.sin6_addr,
556 		    &cfg->internal, &cfg->mask))
557 			continue;
558 		/* Suitable address is found. */
559 		nptv6_set_external(cfg, &ia->ia_addr.sin6_addr);
560 		break;
561 	}
562 	NET_EPOCH_EXIT(et);
563 	if_rele(ifp);
564 }
565 
566 struct ifaddr_event_args {
567 	struct ifnet *ifp;
568 	const struct in6_addr *addr;
569 	int event;
570 };
571 
572 static int
573 ifaddr_cb(struct namedobj_instance *ni, struct named_object *no,
574     void *arg)
575 {
576 	struct ifaddr_event_args *args;
577 	struct ip_fw_chain *ch;
578 	struct nptv6_cfg *cfg;
579 
580 	ch = &V_layer3_chain;
581 	cfg = (struct nptv6_cfg *)SRV_OBJECT(ch, no->kidx);
582 	if ((cfg->flags & NPTV6_DYNAMIC_PREFIX) == 0)
583 		return (0);
584 
585 	args = arg;
586 	/* If interface name doesn't match, ignore */
587 	if (strncmp(args->ifp->if_xname, cfg->if_name, IF_NAMESIZE))
588 		return (0);
589 	if (args->ifp->if_flags & IFF_DYING) { /* XXX: is it possible? */
590 		cfg->flags &= ~NPTV6_READY;
591 		return (0);
592 	}
593 	if (args->event == IFADDR_EVENT_DEL) {
594 		/* If instance is not ready, ignore */
595 		if ((cfg->flags & NPTV6_READY) == 0)
596 			return (0);
597 		/* If address does not match the external prefix, ignore */
598 		if (IN6_ARE_MASKED_ADDR_EQUAL(&cfg->external, args->addr,
599 		    &cfg->mask) != 0)
600 			return (0);
601 		/* Otherwise clear READY flag */
602 		cfg->flags &= ~NPTV6_READY;
603 	} else {/* IFADDR_EVENT_ADD */
604 		/* If instance is already ready, ignore */
605 		if (cfg->flags & NPTV6_READY)
606 			return (0);
607 		/* If address is not suitable for prefix, ignore */
608 		if (nptv6_check_prefix(args->addr) ||
609 		    IN6_ARE_MASKED_ADDR_EQUAL(args->addr, &cfg->internal,
610 		    &cfg->mask))
611 			return (0);
612 		/* FALLTHROUGH */
613 	}
614 	MPASS(!(cfg->flags & NPTV6_READY));
615 	/* Try to determine the prefix */
616 	if_ref(args->ifp);
617 	nptv6_find_prefix(ch, cfg, args->ifp);
618 	return (0);
619 }
620 
621 static void
622 nptv6_ifaddrevent_handler(void *arg __unused, struct ifnet *ifp,
623     struct ifaddr *ifa, int event)
624 {
625 	struct ifaddr_event_args args;
626 	struct ip_fw_chain *ch;
627 
628 	if (ifa->ifa_addr->sa_family != AF_INET6)
629 		return;
630 
631 	args.ifp = ifp;
632 	args.addr = &((struct sockaddr_in6 *)ifa->ifa_addr)->sin6_addr;
633 	args.event = event;
634 
635 	ch = &V_layer3_chain;
636 	IPFW_UH_WLOCK(ch);
637 	ipfw_objhash_foreach_type(CHAIN_TO_SRV(ch), ifaddr_cb, &args,
638 	    IPFW_TLV_NPTV6_NAME);
639 	IPFW_UH_WUNLOCK(ch);
640 }
641 
642 /*
643  * Creates new NPTv6 instance.
644  * Data layout (v0)(current):
645  * Request: [ ipfw_obj_lheader ipfw_nptv6_cfg ]
646  *
647  * Returns 0 on success
648  */
649 static int
650 nptv6_create(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
651     struct sockopt_data *sd)
652 {
653 	struct in6_addr mask;
654 	ipfw_obj_lheader *olh;
655 	ipfw_nptv6_cfg *uc;
656 	struct namedobj_instance *ni;
657 	struct nptv6_cfg *cfg;
658 
659 	if (sd->valsize != sizeof(*olh) + sizeof(*uc))
660 		return (EINVAL);
661 
662 	olh = (ipfw_obj_lheader *)sd->kbuf;
663 	uc = (ipfw_nptv6_cfg *)(olh + 1);
664 	if (ipfw_check_object_name_generic(uc->name) != 0)
665 		return (EINVAL);
666 	if (uc->plen < 8 || uc->plen > 64 || uc->set >= IPFW_MAX_SETS)
667 		return (EINVAL);
668 	if (nptv6_check_prefix(&uc->internal))
669 		return (EINVAL);
670 	in6_prefixlen2mask(&mask, uc->plen);
671 	if ((uc->flags & NPTV6_DYNAMIC_PREFIX) == 0 && (
672 	    nptv6_check_prefix(&uc->external) ||
673 	    IN6_ARE_MASKED_ADDR_EQUAL(&uc->external, &uc->internal, &mask)))
674 		return (EINVAL);
675 
676 	ni = CHAIN_TO_SRV(ch);
677 	IPFW_UH_RLOCK(ch);
678 	if (nptv6_find(ni, uc->name, uc->set) != NULL) {
679 		IPFW_UH_RUNLOCK(ch);
680 		return (EEXIST);
681 	}
682 	IPFW_UH_RUNLOCK(ch);
683 
684 	cfg = nptv6_alloc_config(uc->name, uc->set);
685 	cfg->plen = uc->plen;
686 	cfg->flags = uc->flags & NPTV6_FLAGSMASK;
687 	if (cfg->plen <= 48)
688 		cfg->flags |= NPTV6_48PLEN;
689 	cfg->mask = mask;
690 	cfg->internal = uc->internal;
691 	IN6_MASK_ADDR(&cfg->internal, &mask);
692 	if (cfg->flags & NPTV6_DYNAMIC_PREFIX)
693 		memcpy(cfg->if_name, uc->if_name, IF_NAMESIZE);
694 	else
695 		nptv6_set_external(cfg, &uc->external);
696 
697 	if ((uc->flags & NPTV6_DYNAMIC_PREFIX) != 0 &&
698 	    nptv6_ifaddr_event == NULL)
699 		nptv6_ifaddr_event = EVENTHANDLER_REGISTER(
700 		    ifaddr_event_ext, nptv6_ifaddrevent_handler, NULL,
701 		    EVENTHANDLER_PRI_ANY);
702 
703 	IPFW_UH_WLOCK(ch);
704 	if (ipfw_objhash_alloc_idx(ni, &cfg->no.kidx) != 0) {
705 		IPFW_UH_WUNLOCK(ch);
706 		nptv6_free_config(cfg);
707 		return (ENOSPC);
708 	}
709 	ipfw_objhash_add(ni, &cfg->no);
710 	SRV_OBJECT(ch, cfg->no.kidx) = cfg;
711 	if (cfg->flags & NPTV6_DYNAMIC_PREFIX)
712 		nptv6_find_prefix(ch, cfg, NULL);
713 	IPFW_UH_WUNLOCK(ch);
714 
715 	return (0);
716 }
717 
718 /*
719  * Destroys NPTv6 instance.
720  * Data layout (v0)(current):
721  * Request: [ ipfw_obj_header ]
722  *
723  * Returns 0 on success
724  */
725 static int
726 nptv6_destroy(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
727     struct sockopt_data *sd)
728 {
729 	ipfw_obj_header *oh;
730 	struct nptv6_cfg *cfg;
731 
732 	if (sd->valsize != sizeof(*oh))
733 		return (EINVAL);
734 
735 	oh = (ipfw_obj_header *)sd->kbuf;
736 	if (ipfw_check_object_name_generic(oh->ntlv.name) != 0)
737 		return (EINVAL);
738 
739 	IPFW_UH_WLOCK(ch);
740 	cfg = nptv6_find(CHAIN_TO_SRV(ch), oh->ntlv.name, oh->ntlv.set);
741 	if (cfg == NULL) {
742 		IPFW_UH_WUNLOCK(ch);
743 		return (ESRCH);
744 	}
745 	if (cfg->no.refcnt > 0) {
746 		IPFW_UH_WUNLOCK(ch);
747 		return (EBUSY);
748 	}
749 
750 	ipfw_reset_eaction_instance(ch, V_nptv6_eid, cfg->no.kidx);
751 	SRV_OBJECT(ch, cfg->no.kidx) = NULL;
752 	ipfw_objhash_del(CHAIN_TO_SRV(ch), &cfg->no);
753 	ipfw_objhash_free_idx(CHAIN_TO_SRV(ch), cfg->no.kidx);
754 	IPFW_UH_WUNLOCK(ch);
755 
756 	nptv6_free_config(cfg);
757 	return (0);
758 }
759 
760 /*
761  * Get or change nptv6 instance config.
762  * Request: [ ipfw_obj_header [ ipfw_nptv6_cfg ] ]
763  */
764 static int
765 nptv6_config(struct ip_fw_chain *chain, ip_fw3_opheader *op,
766     struct sockopt_data *sd)
767 {
768 
769 	return (EOPNOTSUPP);
770 }
771 
772 /*
773  * Lists all NPTv6 instances currently available in kernel.
774  * Data layout (v0)(current):
775  * Request: [ ipfw_obj_lheader ]
776  * Reply: [ ipfw_obj_lheader ipfw_nptv6_cfg x N ]
777  *
778  * Returns 0 on success
779  */
780 static int
781 nptv6_list(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
782     struct sockopt_data *sd)
783 {
784 	ipfw_obj_lheader *olh;
785 	struct nptv6_dump_arg da;
786 
787 	/* Check minimum header size */
788 	if (sd->valsize < sizeof(ipfw_obj_lheader))
789 		return (EINVAL);
790 
791 	olh = (ipfw_obj_lheader *)ipfw_get_sopt_header(sd, sizeof(*olh));
792 
793 	IPFW_UH_RLOCK(ch);
794 	olh->count = ipfw_objhash_count_type(CHAIN_TO_SRV(ch),
795 	    IPFW_TLV_NPTV6_NAME);
796 	olh->objsize = sizeof(ipfw_nptv6_cfg);
797 	olh->size = sizeof(*olh) + olh->count * olh->objsize;
798 
799 	if (sd->valsize < olh->size) {
800 		IPFW_UH_RUNLOCK(ch);
801 		return (ENOMEM);
802 	}
803 	memset(&da, 0, sizeof(da));
804 	da.ch = ch;
805 	da.sd = sd;
806 	ipfw_objhash_foreach_type(CHAIN_TO_SRV(ch), export_config_cb,
807 	    &da, IPFW_TLV_NPTV6_NAME);
808 	IPFW_UH_RUNLOCK(ch);
809 
810 	return (0);
811 }
812 
813 #define	__COPY_STAT_FIELD(_cfg, _stats, _field)	\
814 	(_stats)->_field = NPTV6STAT_FETCH(_cfg, _field)
815 static void
816 export_stats(struct ip_fw_chain *ch, struct nptv6_cfg *cfg,
817     struct ipfw_nptv6_stats *stats)
818 {
819 
820 	__COPY_STAT_FIELD(cfg, stats, in2ex);
821 	__COPY_STAT_FIELD(cfg, stats, ex2in);
822 	__COPY_STAT_FIELD(cfg, stats, dropped);
823 }
824 
825 /*
826  * Get NPTv6 statistics.
827  * Data layout (v0)(current):
828  * Request: [ ipfw_obj_header ]
829  * Reply: [ ipfw_obj_header ipfw_obj_ctlv [ uint64_t x N ]]
830  *
831  * Returns 0 on success
832  */
833 static int
834 nptv6_stats(struct ip_fw_chain *ch, ip_fw3_opheader *op,
835     struct sockopt_data *sd)
836 {
837 	struct ipfw_nptv6_stats stats;
838 	struct nptv6_cfg *cfg;
839 	ipfw_obj_header *oh;
840 	ipfw_obj_ctlv *ctlv;
841 	size_t sz;
842 
843 	sz = sizeof(ipfw_obj_header) + sizeof(ipfw_obj_ctlv) + sizeof(stats);
844 	if (sd->valsize % sizeof(uint64_t))
845 		return (EINVAL);
846 	if (sd->valsize < sz)
847 		return (ENOMEM);
848 	oh = (ipfw_obj_header *)ipfw_get_sopt_header(sd, sz);
849 	if (oh == NULL)
850 		return (EINVAL);
851 	if (ipfw_check_object_name_generic(oh->ntlv.name) != 0 ||
852 	    oh->ntlv.set >= IPFW_MAX_SETS)
853 		return (EINVAL);
854 	memset(&stats, 0, sizeof(stats));
855 
856 	IPFW_UH_RLOCK(ch);
857 	cfg = nptv6_find(CHAIN_TO_SRV(ch), oh->ntlv.name, oh->ntlv.set);
858 	if (cfg == NULL) {
859 		IPFW_UH_RUNLOCK(ch);
860 		return (ESRCH);
861 	}
862 	export_stats(ch, cfg, &stats);
863 	IPFW_UH_RUNLOCK(ch);
864 
865 	ctlv = (ipfw_obj_ctlv *)(oh + 1);
866 	memset(ctlv, 0, sizeof(*ctlv));
867 	ctlv->head.type = IPFW_TLV_COUNTERS;
868 	ctlv->head.length = sz - sizeof(ipfw_obj_header);
869 	ctlv->count = sizeof(stats) / sizeof(uint64_t);
870 	ctlv->objsize = sizeof(uint64_t);
871 	ctlv->version = 1;
872 	memcpy(ctlv + 1, &stats, sizeof(stats));
873 	return (0);
874 }
875 
876 /*
877  * Reset NPTv6 statistics.
878  * Data layout (v0)(current):
879  * Request: [ ipfw_obj_header ]
880  *
881  * Returns 0 on success
882  */
883 static int
884 nptv6_reset_stats(struct ip_fw_chain *ch, ip_fw3_opheader *op,
885     struct sockopt_data *sd)
886 {
887 	struct nptv6_cfg *cfg;
888 	ipfw_obj_header *oh;
889 
890 	if (sd->valsize != sizeof(*oh))
891 		return (EINVAL);
892 	oh = (ipfw_obj_header *)sd->kbuf;
893 	if (ipfw_check_object_name_generic(oh->ntlv.name) != 0 ||
894 	    oh->ntlv.set >= IPFW_MAX_SETS)
895 		return (EINVAL);
896 
897 	IPFW_UH_WLOCK(ch);
898 	cfg = nptv6_find(CHAIN_TO_SRV(ch), oh->ntlv.name, oh->ntlv.set);
899 	if (cfg == NULL) {
900 		IPFW_UH_WUNLOCK(ch);
901 		return (ESRCH);
902 	}
903 	COUNTER_ARRAY_ZERO(cfg->stats, NPTV6STATS);
904 	IPFW_UH_WUNLOCK(ch);
905 	return (0);
906 }
907 
908 static struct ipfw_sopt_handler	scodes[] = {
909 	{ IP_FW_NPTV6_CREATE, 0,	HDIR_SET,	nptv6_create },
910 	{ IP_FW_NPTV6_DESTROY,0,	HDIR_SET,	nptv6_destroy },
911 	{ IP_FW_NPTV6_CONFIG, 0,	HDIR_BOTH,	nptv6_config },
912 	{ IP_FW_NPTV6_LIST,   0,	HDIR_GET,	nptv6_list },
913 	{ IP_FW_NPTV6_STATS,  0,	HDIR_GET,	nptv6_stats },
914 	{ IP_FW_NPTV6_RESET_STATS,0,	HDIR_SET,	nptv6_reset_stats },
915 };
916 
917 static int
918 nptv6_classify(ipfw_insn *cmd, uint16_t *puidx, uint8_t *ptype)
919 {
920 	ipfw_insn *icmd;
921 
922 	icmd = cmd - 1;
923 	NPTV6_DEBUG("opcode %d, arg1 %d, opcode0 %d, arg1 %d",
924 	    cmd->opcode, cmd->arg1, icmd->opcode, icmd->arg1);
925 	if (icmd->opcode != O_EXTERNAL_ACTION ||
926 	    icmd->arg1 != V_nptv6_eid)
927 		return (1);
928 
929 	*puidx = cmd->arg1;
930 	*ptype = 0;
931 	return (0);
932 }
933 
934 static void
935 nptv6_update_arg1(ipfw_insn *cmd, uint16_t idx)
936 {
937 
938 	cmd->arg1 = idx;
939 	NPTV6_DEBUG("opcode %d, arg1 -> %d", cmd->opcode, cmd->arg1);
940 }
941 
942 static int
943 nptv6_findbyname(struct ip_fw_chain *ch, struct tid_info *ti,
944     struct named_object **pno)
945 {
946 	int err;
947 
948 	err = ipfw_objhash_find_type(CHAIN_TO_SRV(ch), ti,
949 	    IPFW_TLV_NPTV6_NAME, pno);
950 	NPTV6_DEBUG("uidx %u, type %u, err %d", ti->uidx, ti->type, err);
951 	return (err);
952 }
953 
954 static struct named_object *
955 nptv6_findbykidx(struct ip_fw_chain *ch, uint16_t idx)
956 {
957 	struct namedobj_instance *ni;
958 	struct named_object *no;
959 
960 	IPFW_UH_WLOCK_ASSERT(ch);
961 	ni = CHAIN_TO_SRV(ch);
962 	no = ipfw_objhash_lookup_kidx(ni, idx);
963 	KASSERT(no != NULL, ("NPT with index %d not found", idx));
964 
965 	NPTV6_DEBUG("kidx %u -> %s", idx, no->name);
966 	return (no);
967 }
968 
969 static int
970 nptv6_manage_sets(struct ip_fw_chain *ch, uint16_t set, uint8_t new_set,
971     enum ipfw_sets_cmd cmd)
972 {
973 
974 	return (ipfw_obj_manage_sets(CHAIN_TO_SRV(ch), IPFW_TLV_NPTV6_NAME,
975 	    set, new_set, cmd));
976 }
977 
978 static struct opcode_obj_rewrite opcodes[] = {
979 	{
980 		.opcode	= O_EXTERNAL_INSTANCE,
981 		.etlv = IPFW_TLV_EACTION /* just show it isn't table */,
982 		.classifier = nptv6_classify,
983 		.update = nptv6_update_arg1,
984 		.find_byname = nptv6_findbyname,
985 		.find_bykidx = nptv6_findbykidx,
986 		.manage_sets = nptv6_manage_sets,
987 	},
988 };
989 
990 static int
991 destroy_config_cb(struct namedobj_instance *ni, struct named_object *no,
992     void *arg)
993 {
994 	struct nptv6_cfg *cfg;
995 	struct ip_fw_chain *ch;
996 
997 	ch = (struct ip_fw_chain *)arg;
998 	IPFW_UH_WLOCK_ASSERT(ch);
999 
1000 	cfg = (struct nptv6_cfg *)SRV_OBJECT(ch, no->kidx);
1001 	SRV_OBJECT(ch, no->kidx) = NULL;
1002 	ipfw_objhash_del(ni, &cfg->no);
1003 	ipfw_objhash_free_idx(ni, cfg->no.kidx);
1004 	nptv6_free_config(cfg);
1005 	return (0);
1006 }
1007 
1008 int
1009 nptv6_init(struct ip_fw_chain *ch, int first)
1010 {
1011 
1012 	V_nptv6_eid = ipfw_add_eaction(ch, ipfw_nptv6, "nptv6");
1013 	if (V_nptv6_eid == 0)
1014 		return (ENXIO);
1015 	IPFW_ADD_SOPT_HANDLER(first, scodes);
1016 	IPFW_ADD_OBJ_REWRITER(first, opcodes);
1017 	return (0);
1018 }
1019 
1020 void
1021 nptv6_uninit(struct ip_fw_chain *ch, int last)
1022 {
1023 
1024 	if (last && nptv6_ifaddr_event != NULL)
1025 		EVENTHANDLER_DEREGISTER(ifaddr_event_ext, nptv6_ifaddr_event);
1026 	IPFW_DEL_OBJ_REWRITER(last, opcodes);
1027 	IPFW_DEL_SOPT_HANDLER(last, scodes);
1028 	ipfw_del_eaction(ch, V_nptv6_eid);
1029 	/*
1030 	 * Since we already have deregistered external action,
1031 	 * our named objects become unaccessible via rules, because
1032 	 * all rules were truncated by ipfw_del_eaction().
1033 	 * So, we can unlink and destroy our named objects without holding
1034 	 * IPFW_WLOCK().
1035 	 */
1036 	IPFW_UH_WLOCK(ch);
1037 	ipfw_objhash_foreach_type(CHAIN_TO_SRV(ch), destroy_config_cb, ch,
1038 	    IPFW_TLV_NPTV6_NAME);
1039 	V_nptv6_eid = 0;
1040 	IPFW_UH_WUNLOCK(ch);
1041 }
1042 
1043